Simple Security is a Better Bet

Last week I met with a firm to discuss compliance strategy for data privacy protection of Personally Identifiable Information (PII). A number of the state laws were potentially in play, including Massachusetts 201 CMR 17. We discussed what applications and databases were in use, how information moved, and some of their specific in house issues. Then I discussed the different technology options for each platform that were available, specifically mentioning what threats the products addressed, and the relative cost of implementation and maintenance. That is the point that, even over the phone, I could hear heads spinning on the other side of the line. Too. Much. Information. And far to complex for them to come away with any coherent strategy or action plan. Forget running, we needed to get to crawl. It was clear they did not have the time, the manpower, nor the budget to go through the full analysis process. And even if they did, it would have ended up with a half-dozen separate and distinct projects, each with their own learning curve, each with a different product to obtain, each with a different skill for managing.

That’s were we simply cut to the chase: I advised a single technology, in two specific implementations, that provided basic security across all the platforms for all of the use cases.

Why? Because it was going to address most of the issues they had — they were not even fully aware of the issues they needed to address — and it was within their capability to implement. I hate to do this as sometimes it feels like compliance for the sake of compliance. Personally I like to pick tools and technologies that best fit my category of need, be it compliance, security or whatever. That said, sometimes best of breed is not possible. Selecting ‘the best’ technical solutions app by app created project and operational complexity that would simply never work in this case.

I’ve talked a lot on this — and the Securosis blog – about how complexity makes it harder to do security. Certainly guys like Bruce Schneier and Dan Geer have covered this in great detail as well. Examples I’ve witnessed first hand are things like security settings being difficult to check made it more likely people will make a mistake or skip the process entirely. If code is hard to read then code reviews are less effective. Complexity makes things hard to understand and, in turn, result in less effective security. In this case complexity from an implementation and management perspective. Getting 90% of the way home was better then outright failure.

Does this sound cliche? Sure it does. Do companies till bite off more than they can chew? Absolutely. The person who wants the work done is a specialist and wants things done to their standards, often which are beyond IT’s capabilities. It’s a reality for many IT organizations that the best choice is often the simplest to implement, or the simplest to use.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading.